{
	"id": "e7d70524-fb94-4e41-a25f-ff4486eb9c71",
	"created_at": "2026-04-06T02:12:08.806743Z",
	"updated_at": "2026-04-10T03:32:46.059115Z",
	"deleted_at": null,
	"sha1_hash": "a10c709b14126378d3f8d56b9ef1898f8c261cbd",
	"title": "Tricks, Treats, and Threats: Cobalt Strike \u0026 the Goblin Lurking in Plain Sight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7020904,
	"plain_text": "Tricks, Treats, and Threats: Cobalt Strike \u0026 the Goblin Lurking in Plain Sight\r\nPublished: 2024-10-31 · Archived: 2026-04-06 01:31:50 UTC\r\nTABLE OF CONTENTS\r\nA Curious Encounter: Analyzing the Open Directory\r\nGoblin's Tricks: Phishing with a Purpose\r\nBrowserGhost: A Phantom's Approach to Credential Access\r\nClosing the Door on a Haunted Directory\r\nOpen Directory Observables\r\nShared Certificate (Major Cobalt Strike)\r\nCobalt Strike Watermark (1359593325) Overlaps\r\nIn the spirit of Halloween, a recent open directory discovery offers a curious combination of tools: Cobalt Strike, Goblin, and BrowserGhost. The names may sound playful, but each represents serious capabilities used by red teams and adversaries alike. This collection of tools sits waiting in the open, much like treats left out on Halloween night, but for anyone who wanders into this directory the tricks are lurking too.\r\nSummary of Findings:\r\nAn open directory exposed Cobalt Strike 4.2, a widely used post-exploitation framework, together with exploit code for vulnerabilities (CVEs) dating back to 2014.\r\nBrowserGhost, a red team tool for extracting saved passwords from web browsers, was present, suggesting a focus on credential theft.\r\nThe open-source Goblin phishing tool was configured in a way that suggests it may have been used to target Chinese-language educational platforms and steal user credentials.\r\nA Curious Encounter: Analyzing the Open Directory\r\nThe open directory hosted at 199.187.25[.]57:8899, on Cloudie Limited's ASN in Hong Kong, provided a glimpse into a collection of tools likely used for malicious purposes. 
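\r\nBefore walking through the contents, an added example (not code from the Hunt.io post) of how an analyst can triage a listing like this one offline: it recognizes the Server banner that Python's http.server module sends, parses the index page that module generates, and flags entries matching the kinds of tooling described in this post. The Server header value and the HTML listing in the block are constructed for the example, and the category keywords are an assumption chosen for illustration, not a list from the post.\r\n

```python
"""Triage helper for an open directory served by Python's http.server.

Added example, not from the Hunt.io post. The header and listing below are
constructed to look like what http.server emits; they were not captured from
199.187.25[.]57. The keyword categories are an assumption for the example.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample input: Server header and index page of python -m http.server.
SAMPLE_SERVER_HEADER = "SimpleHTTP/0.6 Python/3.8.10"
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="cs4.2/">cs4.2/</a></li>
<li><a href="goblin/">goblin/</a></li>
<li><a href="history.log">history.log</a></li>
<li><a href="README.md">README.md</a></li>
</ul>
<hr>
</body>
</html>
"""

# Assumed keyword heuristics, loosely based on the tool names in the post.
CATEGORIES = {
    "cobalt_strike": re.compile(r"(^|/)cs\d|cobalt|teamserver|beacon", re.I),
    "phishing": re.compile(r"goblin|gophish|evilginx", re.I),
    "logs": re.compile(r"\.log$|history", re.I),
}


def is_python_simplehttp(server_header: str) -> bool:
    """True when the Server header has the http.server banner shape."""
    return bool(re.match(r"^SimpleHTTP/\d+\.\d+ Python/\d+\.\d+", server_header))


class _IndexParser(HTMLParser):
    """Collect hrefs from the <ul><li><a> list that http.server emits."""

    def __init__(self) -> None:
        super().__init__()
        self.in_list = False
        self.entries: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "ul":
            self.in_list = True
        elif tag == "a" and self.in_list:
            href = dict(attrs).get("href")
            if href:
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == "ul":
            self.in_list = False


def parse_listing(html: str) -> List[str]:
    """Return the entry names (hrefs) of a directory index page."""
    parser = _IndexParser()
    parser.feed(html)
    return parser.entries


def classify(entries: List[str]) -> Dict[str, List[str]]:
    """Bucket entries by the heuristic categories above."""
    hits: Dict[str, List[str]] = {name: [] for name in CATEGORIES}
    for entry in entries:
        for name, pattern in CATEGORIES.items():
            if pattern.search(entry):
                hits[name].append(entry)
    return hits


def triage(server_header: str, html: str) -> Dict[str, object]:
    """Combine the banner check and the listing classification."""
    entries = parse_listing(html)
    return {"python_http_server": is_python_simplehttp(server_header),
            "entries": entries,
            "hits": classify(entries)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SERVER_HEADER, SAMPLE_LISTING), indent=2))
```

\r\nAgainst a live host the two inputs are the Server header and body of a GET to the listing URL; the parser only depends on the fixed ul/li/a layout that http.server writes, so it is not fooled by extra markup an operator might add elsewhere on the page.\r\n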
Among the contents were Cobalt Strike version 4.2, released in November 2020, a folder named \"goblin\", which we'll cover later, and logs capturing command history and output.\r\nFigure 1: Screenshot of the open directory page for the server at 199.187.25[.]57 in Hunt\r\nThe server, likely running a Linux-based operating system, served the directory with Python 3.8.10's built-in http.server module (Server header SimpleHTTP/0.6). Beyond the directory contents, Hunt scanners identified Cobalt Strike team server listeners on ports 88, 4343, and 5555 of the same host. An Nginx web server on port 80 responded with a 404 error displaying a \"Site Not Found\" message in Simplified Chinese.\r\nhttps://hunt.io/blog/tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight\r\nFigure 2: Overview of the suspicious IP, including ports, domains, and associations in Hunt\r\nInterestingly, the watermark extracted from the beacon configuration (click the \"i\" button next to the Cobalt Strike symbol), 1359593325, was seen on just 15 other servers in our visibility. The watermark is derived from the Cobalt Strike licence, so a small set of servers sharing it is consistent with one operator or team running a distinct, if possibly more extensive, cluster of managed infrastructure.\r\nNested within the cs4.2 folder were additional payloads targeting historical vulnerabilities such as CVE-2014-4113 (a Windows win32k privilege-escalation flaw) and CVE-2020-0796 (SMBGhost, in SMBv3 compression handling), along with Meterpreter and web shell payloads, evidence of a comprehensive toolkit geared towards exploitation and persistence.\r\nFigure 3: Snippet of the IPs observed sharing the same Cobalt Strike Watermark (Source: Hunt)\r\n*A complete list of all the IP addresses sharing the watermark can be found at the end of this post.\r\nOn October 15, this server briefly hosted, for just one day, the well-known default Cobalt Strike TLS certificate (SHA-256 DFA9B3E8B5E0F229ECB2FB479544650D0B87EB8494CE176714CF4E53DBAFD687, subject CN=Major Cobalt Strike). 
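\r\nThe two artifacts above, the beacon watermark and the default team server certificate, are the most common pivots for this kind of infrastructure, and the following added example (not code from the Hunt.io post) shows both checks in working Python. The watermark decoder follows the beacon configuration layout documented by public parsers such as 1768.py and CobaltStrikeParser: settings are big-endian TLVs (index, kind, length, value), the whole block is XOR-masked with a single byte (0x69 for Cobalt Strike 4.x, 0x2e for 3.x), and setting 1 (BEACON_TYPE) comes first, so it doubles as a marker. The certificate check compares a SHA-256 fingerprint against the hash reported in this post and also looks for the default subject strings, which survive when an operator regenerates the certificate. The masked configuration blob and the certificate bytes in the block are constructed for the example and were not captured from the server described here; the constant names and helper functions are the example's own.\r\n

```python
"""Fingerprint a suspected Cobalt Strike team server from two artifacts.

Added example, not code from the Hunt.io post. Layout of the beacon config as
documented by public parsers (1768.py, CobaltStrikeParser); the sample blob and
certificate bytes are constructed here. The fingerprint is the one in the post.
"""
import hashlib
import struct
from typing import Dict, Optional, Union

XOR_KEYS = (0x69, 0x2E)               # Cobalt Strike 4.x first, then 3.x
WATERMARK_INDEX = 37
KIND_SHORT, KIND_INT, KIND_DATA = 1, 2, 3
MARKER = b"\x00\x01\x00\x01\x00\x02"  # setting 1, kind short, length 2


def parse_settings(block: bytes) -> Dict[int, Union[int, bytes]]:
    """Walk the unmasked TLV list; stop at index 0 or when bytes run out."""
    settings: Dict[int, Union[int, bytes]] = {}
    off = 0
    while off + 6 <= len(block):
        idx, kind, length = struct.unpack_from(">HHH", block, off)
        off += 6
        if idx == 0:
            break
        value = block[off:off + length]
        off += length
        if kind == KIND_SHORT and length == 2:
            settings[idx] = struct.unpack(">H", value)[0]
        elif kind == KIND_INT and length == 4:
            settings[idx] = struct.unpack(">I", value)[0]
        else:
            settings[idx] = value.rstrip(b"\x00")
    return settings


def unmask_config(data: bytes) -> Optional[bytes]:
    """Try each known XOR key; return the decoded block from the marker on."""
    for key in XOR_KEYS:
        decoded = bytes(b ^ key for b in data)
        pos = decoded.find(MARKER)
        if pos != -1:
            return decoded[pos:]
    return None


def extract_watermark(data: bytes) -> Optional[int]:
    """Watermark (setting 37) from a masked config, or None if not found."""
    block = unmask_config(data)
    if block is None:
        return None
    value = parse_settings(block).get(WATERMARK_INDEX)
    return value if isinstance(value, int) else None


# Part 2: the default self-signed certificate shipped with the team server.
DEFAULT_CERT_SHA256 = {
    "dfa9b3e8b5e0f229ecb2fb479544650d0b87eb8494ce176714cf4e53dbafd687",
}
DEFAULT_SUBJECT_STRINGS = (b"Major Cobalt Strike", b"AdvancedPenTesting",
                           b"cobaltstrike", b"Cyberspace")


def check_certificate(der: bytes) -> Dict[str, object]:
    """Flag a DER certificate by exact fingerprint or by default subject strings."""
    fp = hashlib.sha256(der).hexdigest()
    hits = [s.decode() for s in DEFAULT_SUBJECT_STRINGS if s in der]
    return {"sha256": fp,
            "known_default_fingerprint": fp in DEFAULT_CERT_SHA256,
            "default_subject_strings": hits,
            "suspicious": fp in DEFAULT_CERT_SHA256 or len(hits) >= 2}


# Constructed inputs (not captured from the server in the post).
def _tlv(idx: int, kind: int, value: bytes) -> bytes:
    return struct.pack(">HHH", idx, kind, len(value)) + value


SAMPLE_CONFIG = (
    _tlv(1, KIND_SHORT, struct.pack(">H", 8))            # BEACON_TYPE: HTTPS
    + _tlv(2, KIND_SHORT, struct.pack(">H", 443))        # PORT
    + _tlv(8, KIND_DATA, b"c2.example.invalid,/ca\x00")  # C2 host, placeholder
    + _tlv(WATERMARK_INDEX, KIND_INT, struct.pack(">I", 1359593325))
    + _tlv(0, KIND_SHORT, b"\x00\x00")                   # terminator
)
SAMPLE_MASKED = b"\x90\x90" + bytes(b ^ 0x69 for b in SAMPLE_CONFIG)
# Stand-in byte string carrying the default subject fields (not a real DER cert).
SAMPLE_CERT = (b"\x30\x82\x01\x00\x0c\x13Major Cobalt Strike"
               b"\x0c\x12AdvancedPenTesting\x0c\x0ccobaltstrike")

if __name__ == "__main__":
    print("watermark:", extract_watermark(SAMPLE_MASKED))
    print("certificate:", check_certificate(SAMPLE_CERT))
```

\r\nTo run the certificate check against a live listener, fetch the PEM with ssl.get_server_certificate((host, port)) from the standard library and convert it with ssl.PEM_cert_to_DER_cert; for the watermark, feed in a downloaded stager or a memory region containing the beacon, as the public parsers do. The subject-string match is what catches operators who regenerate the default certificate (same subject, new fingerprint), which is why the verdict does not rest on the hash alone.\r\n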
The only other IP observed with this certificate was 47.108.74[.]30, hosted on Aliyun Computing Co. LTD's ASN, indicating possible shared infrastructure or coordination between the two servers or their operators.\r\nFigure 4: Screenshot of IPs sharing the same certificate (Source: Hunt)\r\nGoblin's Tricks: Phishing with a Purpose\r\nThe Goblin phishing tool, as described in its GitHub project overview, serves as a platform for red and blue team exercises. Goblin works as a reverse proxy: it relays the victim's traffic to the genuine site so that pages look and behave authentically, while quietly capturing what the user submits. Its customizable plug-ins and support for injected JavaScript make it adaptable both to legitimate training scenarios and to malicious use.\r\nFigure 4: Screenshot of the English-language README version of the Goblin Project (Source: GitHub)\r\nA review of Goblin's YAML configuration file in the directory reveals that the operator configured traffic to be proxied for yunxiao[.]com, a domain associated with Alibaba Cloud's Yunxiao DevOps platform, and laoshanedu[.]cn. The purpose of this setup remains unclear: our analysis did not find any injected JavaScript or identifiable phishing targets.\r\nFigure 5: Snippet of the Goblin YAML config file from the Hunt open directory page\r\nFurther analysis revealed that laoshanedu[.]cn was registered in November 2023 through Beijing Xinnet Digital Information Technology Co., Ltd. and uses nameservers from xincache[.]com. 
The education-themed naming and recent registration suggest the domain may serve as a plausible cover for Goblin, mimicking an educational institution.\r\nFigure 6: DNS \u0026 WhoIs records in VirusTotal for laoshanedu[.]cn\r\nBrowserGhost: A Phantom's Approach to Credential Access\r\nThe final tool we'll examine, BrowserGhost, is another open-source utility, this time found within the Cobalt Strike folder, designed to extract stored passwords from popular web browsers, including Chrome, Firefox, 360 Extreme, and Edge.\r\nFigure 7: Screenshot of the BrowserGhost README in GitHub\r\nAlongside BrowserGhost, the directory also contained HackBrowserData, a tool built to extract and decrypt browser-stored data such as passwords, cookies, history, and bookmarks. This combination of tools points to an operator with a strong interest in harvesting browser-stored credentials, whether a well-equipped red team or an adversary focused on exfiltrating data from compromised systems.\r\nFigure 8: Screenshot of multiple files within the cs4.2 folder, including BrowserGhost and HackBrowserData\r\nClosing the Door on a Haunted Directory\r\nIn wrapping up our Halloween dive into this open directory, we've highlighted tools like Cobalt Strike, Goblin, and BrowserGhost, each with capabilities that extend from red teaming to potentially darker uses. 
Our findings show how such tools, although common in professional settings, can be used for more sinister purposes, a reminder of the treats and tricks still hidden within the threat landscape.\r\nIf you want to learn more about these spooky threats and light your Jack-o-lantern against their tricks, get in touch with Hunt.io!\r\nOpen Directory Observables\r\nIP Address | Hosting Country | ASN | Cobalt Strike Watermark\r\n199.187.25[.]57:8899 | HK | Cloudie Limited | 1359593325\r\nShared Certificate (Major Cobalt Strike)\r\nIP Address | Hosting Country | ASN | Domain(s) | Certificate\r\n47.108.74[.]30 | CN | Hangzhou Alibaba Advertising Co.,Ltd. | tbc.cbshscs.comtom[.]cn, cbshscs.comtom[.]cn, file.cbshscs.comtom[.]cn | Common Name: Major Cobalt Strike; Country: Earth; Org: cobaltstrike; OrgUnit: AdvancedPenTesting; City: Somewhere; State: Cyberspace; SHA-256 Hash: DFA9B3E8B5E0F229ECB2FB479544650D0B87EB8494CE176714CF4E53DBAFD687\r\nCobalt Strike Watermark (1359593325) Overlaps\r\nIP Address | Hosting Country | ASN | Domain(s)\r\n43.134.183[.]43 | HK | Tencent Building, Kejizhongyi Avenue | N/A\r\n101.132.182[.]180 | CN | Hangzhou Alibaba Advertising Co.,Ltd. | N/A\r\n106.15.40[.]123 | CN | Hangzhou Alibaba Advertising Co.,Ltd. | N/A\r\n39.98.196[.]145 | CN | Zhejiang Taobao Network Co.,Ltd | N/A\r\n94.74.105[.]131 | HK | HUAWEI CLOUDS | N/A\r\n1.15.247[.]249 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A\r\n1.117.72[.]154 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A\r\n27.102.118[.]70 | KR | DAOU TECHNOLOGY | ns1.kjdfklha[.]top, ns2.kjdfklha[.]top, kjdfklha[.]top, blog.kjdfklha[.]top\r\n210.1.226[.]164 | MY | TechAvenue Malaysia | N/A\r\n101.43.157[.]20 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A\r\n106.52.236[.]88 | CN | Shenzhen Tencent Computer Systems Company Limited | src.idvfecx.qiniudns[.]com\r\n111.231.140[.]197 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A\r\n124.221.167[.]192 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A\r\n117.72.10[.]22 | CN | Beijing Jingdong 360 Degree E-commerce Co., Ltd. | dn2ufncur4f3f[.]shop\r\n119.3.153[.]81 | CN | Huawei Cloud Service data center | N/A\r\nSource: https://hunt.io/blog/tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight"
	],
	"report_names": [
		"tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441528,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a10c709b14126378d3f8d56b9ef1898f8c261cbd.pdf",
		"text": "https://archive.orkl.eu/a10c709b14126378d3f8d56b9ef1898f8c261cbd.txt",
		"img": "https://archive.orkl.eu/a10c709b14126378d3f8d56b9ef1898f8c261cbd.jpg"
	}
}